Consultation on Guideline 07/2020


Dear members of the European Data Protection Board! 


I would like to participate as an individual in your consultation on Guideline 07/2020. My feedback
reflects my personal views based on my experience as END for the European Commission and more
than 10 years working for an internationally active company.


1. WP 169 


I welcome Guideline 07/2020 since it stipulates many facts and gives good advice, especially with
regard to joint controllers. Its “predecessor”, WP 169, is most likely one of the most important and best
in the history of Working Party 29. WP 169 explains in an almost perfect way the history and
development of the key terms of European data protection concept. This is the key to understanding
the autonomous European concepts.¹ Having said this, I am convinced that it would be a pity to
“simply” replace WP 169 as proposed² by the new Guideline. A declaration that still recognizes WP
169 as - partially - valid would be very useful.





2. “determines” 


The aim of the concept of the controller is to allocate responsibility³ which means that there may not
exist “non-responsible” processing of personal data. “Determines” therefore tends to mean “being
responsible for” data processing which, particularly in case of joint controllers only, might be the case
for one or few processing activities. This aspect could perhaps be emphasized more strongly than it
is currently formulated in section 55.


3. Processing within companies belonging to a group 


Some clarifications concerning various situations processing personal data in a group of companies,
which I have specified below, would be more than welcome.


1 Guideline 07/2020 section 13 
2 Guideline 07/2020 section 4 
3 Guideline 07/2020 section 12 
(1) Group companies are individual controllers when they have personal data of their
employees processed by one group company which is specialized, e.g., in HR administration topics. In this
case the latter is a processor for the other group companies.

(2) All group companies are joint controllers if they manage a pool of potential candidates who
wish to work for the group and who agree that their CV and other relevant information can be seen
and used by group companies in focus of the candidates. This changes when a potential
candidate applies for a concrete job in a single group company which acts then as controller.
(3) When stipulated in a Controller-Processor Agreement (CPA), processors can propose new or
additional sub-processors which are regarded as accepted sub-processors when the controller does not
object (general authorization approach). Similar to this situation, one group company (a
controller) could be authorized by other group companies (controllers) to act for them in a legally
binding manner, e.g. to enter into CPAs or to give their processors instructions in a harmonized
manner (power of attorney approach).
4. Joint controllers and connected vehicles


When “processing is not possible without both parties’ participation in the sense that the processing
by each party is inseparable, i.e. inextricably linked,” then vehicle manufacturers and freight 
forwarders are joint controllers if, during a tour, data are permanently generated, transmitted and 
stored in a cloud to which both parties have access. Since “Guidelines 1/2020 on processing personal 
data in the context of connected vehicles and mobility related applications” does not specify in detail 
that joint control often exists in connection with connected vehicles, it would be useful to explain this in 
Directive 07/2020 by means of an example. 


It is no secret that there are many joint controllers who are reluctant to accept a joint controller 
constellation because of the joint liability. Whether this fear is justified or not will not be discussed 
here. However, at least among vehicle manufacturers, this fear could be allayed, considering that 
Article 11 GDPR might be applicable to them and that the scope of joint liability is limited to joint 
processing activities. 


5. Controller-Processor Agreements


A CPA should be a “written” contract. This requirement had been understood - at least in Germany -
to mean that the handwritten signature was a decisive element of the contract. It cannot therefore be 
stressed enough that "in writing" should be understood as "in documented form", similar to the wording 
of Article 17(4) of Directive 95/46/EC. The principle of liability of Article 5(2) GDPR requires nothing 
more and nothing less. 


The existence of the "national security clause" in Article 28 (3) (a) GDPR was often not considered
as a real requirement by data controllers and processors. This has changed with the "Schrems II" 
judgment of the ECJ. The standard contractual clauses provide for legal consequences if there is a 
risk that the application of essential principles of European data protection cannot be guaranteed. 
Such clear instructions cannot be expected. However, some enlightening recommendations would 
certainly be welcome for CPA constellations within the EU. 


Kind regards 